The awesome-support plugin prior to 3.1.7 for WordPress has a security issue in which shortcodes are allowed in replies.
getawesomesupport awesome support